Bug#582204: [php-maint] Bug#582204: php5: expose_php should be off by default to remove X-Powered-By headers
tag 582204 +wontfix
severity 582204 wishlist
thank you

Francois,

I don't agree with you (however not much strongly). Security by obscurity never worked and I am opposed to applying this patch. Hiding version makes life harder for everybody else but attacker.

Ondrej

On Wed, May 19, 2010 at 06:53, Francois Marier franc...@debian.org wrote:
> Package: php5
> Version: 5.3.2-1
> Severity: normal
> Tags: patch
>
> I'm sure this has been mentioned before, but it would be nice if expose_php was disabled by default in php.ini.
>
> While these headers can be useful in development, they are also revealing the exact PHP version that the server is running. We don't need to make attackers' lives easier.
>
> This won't prevent a determined attacker from getting in, but it lowers the effectiveness of attacks based on mass scanning for vulnerable targets.
>
> Francois
>
> ___
> pkg-php-maint mailing list
> pkg-php-ma...@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint

--
Ondřej Surý
ond...@sury.org
http://blog.rfc1925.org/

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
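To make the effect of the directive under discussion concrete, here is an added illustration (not Debian's or PHP's own code, and not part of the thread): it reads the effective expose_php value out of php.ini text and audits a raw HTTP response for headers that disclose a software version. The HTTP responses and php.ini fragments are constructed samples; the Apache version string in them is made up.

```python
# Added illustration for the expose_php thread above; not Debian's or PHP's own
# code. The HTTP responses and php.ini fragments below are constructed samples.
import re
from email.parser import BytesParser

VERSION_RE = re.compile(r"\d+\.\d+")  # crude "looks like a version number" test

def expose_php_enabled(ini_text: str) -> bool:
    """Effective expose_php value from php.ini text (PHP's built-in default is On)."""
    enabled = True
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "expose_php":
            enabled = value.strip().strip('"').lower() in ("on", "1", "true", "yes")
    return enabled

def disclosed_versions(raw_response: bytes) -> dict:
    """Map header name -> value for response headers that reveal a software version.

    X-Powered-By is what expose_php controls; Server comes from the web server
    (Apache's ServerTokens directive), so it is checked as a related disclosure.
    """
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    _status, _, header_block = head.partition(b"\r\n")
    msg = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    leaks = {}
    for name in ("X-Powered-By", "Server"):
        for value in msg.get_all(name, []):
            if VERSION_RE.search(value):
                leaks[name] = value
    return leaks

# Constructed sample: expose_php = On (the default the bug report argues against).
EXPOSED = (b"HTTP/1.1 200 OK\r\n"
           b"Server: Apache/2.2.15 (Debian)\r\n"
           b"X-Powered-By: PHP/5.3.2-1\r\n"
           b"Content-Type: text/html\r\n\r\n<html></html>")
# Constructed sample: expose_php = Off and a version-free Server header.
HARDENED = (b"HTTP/1.1 200 OK\r\n"
            b"Server: Apache\r\n"
            b"Content-Type: text/html\r\n\r\n<html></html>")
DEFAULT_INI = "; php.ini fragment (constructed)\nexpose_php = On\n"
HARDENED_INI = "; php.ini fragment (constructed)\nexpose_php = Off\n"

if __name__ == "__main__":
    print(disclosed_versions(EXPOSED))   # {'X-Powered-By': 'PHP/5.3.2-1', 'Server': 'Apache/2.2.15 (Debian)'}
    print(disclosed_versions(HARDENED))  # {}
    print(expose_php_enabled(DEFAULT_INI), expose_php_enabled(HARDENED_INI))  # True False
```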
Bug#582204: [php-maint] Bug#582204: php5: expose_php should be off by default to remove X-Powered-By headers
On 2010-05-19 at 08:25:31, Ondřej Surý wrote:
> I don't agree with you (however not much strongly). Security by obscurity never worked and I am opposed to applying this patch. Hiding version makes life harder for everybody else but attacker.

Hi Ondřej,

I certainly agree with you that this is not a real security mechanism, however, why make it easy on the dumb automated scanners?

What do people use these numbers for? I mean sure developers are the ones who are (occasionally) interested in exact version numbers, but on balance, I get the feeling that in a production environment, the numbers are more likely to be used for nefarious purposes.

In any case, we're talking about the default value, interested developers can probably change them. Personally, as a Debian user, I have the expectation that Debian will choose (slightly) more secure values by default.

Anyways, even though I disagree with this specific default value, I will respect your decision and this bug will be a record that: the option exists and that it has already been reported (I couldn't find one before I filed this one).

Cheers,
Francois